dig is now IDN enabled and ‘*’ is not a legal IDN name. Adding `+noidnin` turns off IDN processing (as does piping the dig to another shell command).
e.g.

    dig +noidnin '*.wildcard.rfc1925.org'
    dig '*.wildcard.rfc1925.org' | cat

works.

Ondrej
--
Ondřej Surý (He/Him)
ond...@sury.org

> On 24. 11. 2021, at 17:03, Jörgen Hägg <j...@axis.com> wrote:
>
> Package: dnsutils
> Version: 1:9.17.20-2
> Severity: normal
> X-Debbugs-Cc: j...@axis.com
>
> -- System Information:
> Debian Release: bookworm/sid
> APT prefers oldoldstable
> APT policy: (500, 'oldoldstable'), (500, 'unstable'), (101, 'experimental')
> Architecture: amd64 (x86_64)
> Foreign Architectures: i386
>
> Kernel: Linux 5.14.0-3-amd64 (SMP w/8 CPU threads)
> Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
> Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_SE:en_US:en_GB:en
> Shell: /bin/sh linked to /bin/bash
> Init: systemd (via /run/systemd/system)
> LSM: AppArmor: enabled
>
> Versions of packages dnsutils depends on:
> ii bind9-dnsutils 1:9.17.20-2
>
> dnsutils recommends no packages.
>
> dnsutils suggests no packages.
>
> -- no debconf information
>
> ------------------------------------------------------
> (domain obfuscated)
>
> "dig '*.xxx.yyy.example.com' any" returns this:
>
> dig: '*.xxx.yyy.example.com' is not a legal name (empty label)
>
> I get the same answer no matter what domain I test, be there
> a real wildcard record or not.
>
> Version 1:9.17.19-3 seems to work.
> This is an example from version 1:9.11.5.P4+dfsg-5.1+deb10u6:
>
> *.xxx.yyy.example.com. 10800 IN CNAME xxx.yyy.example.com.
>
> --------------------------------------
> dig '*.example.com' any
>
> Older:
> ;*.example.com. IN ANY
>
> Current:
> dig: '*.example.com' is not a legal name (empty label)
>